Statement of Gregory H. Friedman
Inspector General
U.S. Department of Energy

Before the
Subcommittee on Oversight and Investigations
of the
Committee on Energy and Commerce
U.S. House of Representatives

FOR RELEASE ON DELIVERY
10:00 AM
Friday, June 9, 2006

Mr. Chairman and members of the Subcommittee, I am pleased to be here at your request to testify on cyber security issues at the Department of Energy.

The Department of Energy, which spends over $2 billion each year on information technology (IT), has a current inventory of approximately 800 information systems, including up to 115,000 personal computers; many powerful supercomputers; numerous servers; and a broad array of related peripheral equipment. These systems process operational, financial, and highly classified national security data. The need to protect this data and the related systems is of paramount concern to the Department and to the Office of Inspector General (OIG).

As is widely recognized both in the private and public sectors, the threat of intrusion or damage to information networks and systems continues to grow as cyber-related attacks become more sophisticated. The media regularly carries stories about malicious intrusions and compromises of sensitive data. Within the Department of Energy complex, on a regular basis, hackers attempt to intrude into or cause damage to the Department’s networks and systems. Cyber security threats of this sort reinforce the need for an aggressive Departmental program of controls and safeguards to protect against any compromise of vital data.

The Office of Inspector General has a proactive program to assess the effectiveness of the Department’s cyber security strategy. For the last four years, the OIG has categorized information technology and systems security as one of the Department of Energy’s most significant management challenges. This was based on internal control weaknesses identified as part of the Inspector General’s regular evaluation of the Department’s cyber security program. These reviews include the annual evaluation required under the Federal Information Security Management Act (FISMA) and other cyber security-related reviews focusing on high-risk activities. In addition, the OIG’s technology crimes unit, with its highly trained special agents, regularly and successfully investigates malicious attacks on Department systems.

In today’s testimony I would like to highlight continuing challenges identified through our work in cyber security. I will outline results from completed activities and criminal investigations, and discuss ongoing review efforts.

2005 FISMA Evaluation

The purpose of the Federal Information Security Management Act of 2002 was to elevate attention to the issue of information technology security within the Federal sector. Under FISMA, each agency is required to develop, document, and implement an agency-wide program to provide security for the information and systems that support core operations. It also requires that agency Inspectors General conduct an annual independent evaluation of their Department’s unclassified cyber security program and practices. At the Department, the evaluation is performed in conjunction with our annual Audit of the Department’s Financial Statements and leverages testing of information technology controls performed on individual site and Department-wide financial systems.

Last year, as part of this evaluation, we conducted reviews at 27 sites, which, depending upon the location, included examinations of the Department’s compliance with information system-related laws and regulations; tests of general and application controls; and vulnerability and penetration testing. We also incorporated information gathered by and conclusions reached by KPMG, our financial statement contractor; reports issued by the Government Accountability Office; inspection results obtained from the Department’s Office of Independent Oversight; and other internal studies.

Our 2005 review noted systemic cyber security problems that exposed the Department’s critical systems to an increased risk of compromise. Specifically:

• The Department had not yet established a complete inventory of information systems, nor had it identified all of the existing interfaces between internal and external systems and networks. These tasks are critical to planning and implementing protective efforts.

• Many sites had not completed or properly performed certification and accreditation of all their major and general support systems. This process verifies that the Department’s systems are secure for operation and enables program officials to address high-risk issues through cost-effective mitigation strategies.

• The Department had not resolved noted problems with critical security controls such as access authority, segregation of duties, and configuration management. These safeguards and controls are designed to protect computer resources from unauthorized modification or loss and to prevent fraudulent activities.

• Contingency plans, necessary to ensure that systems could continue or resume operations in the event of an emergency, disaster, or malicious intrusion event, had not been completed for certain critical systems.

• Department elements did not always report cyber security incidents to law enforcement officials, as required. Failure to report these occurrences jeopardizes the timely investigation and resolution of these matters.

Similarly, our Audit of the Department of Energy’s 2005 Consolidated Financial Statements (DOE/OAS-FS-06-01, November 2005) noted network vulnerabilities; weaknesses in access controls; and other security shortcomings in the Department’s unclassified computer information systems. These shortcomings increased the risk that malicious destruction, alteration of data, or other unauthorized processing could occur. As a result, “Unclassified Network and Information Systems Security” was designated as a reportable condition. An Information Technology Management Letter, which detailed 25 site-specific vulnerability findings, was issued as part of the 2005 Financial Statement Audit Report.

Criminal Investigations and Internal Control Weaknesses

As part of its law enforcement mission, the OIG aggressively pursues those who have attempted to compromise or inflict damage on the Department’s computer systems. In this role, we have successfully investigated a number of intrusions with both national and international connections. We work closely with Department of Justice prosecutors and the Federal Bureau of Investigation in pursuing these matters and have worked on specific cases with external law enforcement agencies such as New Scotland Yard and the Royal Canadian Mounted Police.

Because the Department has to deal with frequent intrusion attempts that could compromise systems, it is critical that strong security controls are implemented and appropriately executed. Our investigations have revealed problems with the deployment of controls in certain areas; for example, we have observed, in past investigations, a number of internal control weaknesses related to poor password administration. In one investigation, we determined that employees of a United States-based computer security company compromised unclassified Department of Energy and other government systems. Company officials were able to gain access to scientific data from a Headquarters system through the use of hacker tools that exploited a password vulnerability. Three individuals pled guilty in connection with those activities.

During another criminal investigation, we determined that two individuals within the United States gained access to an unclassified website belonging to Sandia National Laboratory, part of the Department of Energy’s national laboratory network. They were able to gain access by exploiting a default password. These individuals pled guilty and have been sentenced in connection with their activities. In yet another investigation, an individual compromised a network at the Fermi National Laboratory, again by taking advantage of problems with weak password administration. The hacker, who pled guilty to his activities, used the system as his personal storage site to host illegal software – creating the ability for others to download the intruder’s data from the Department’s systems.

Ongoing Reviews

As noted previously, the Department invests over $2 billion each year in information technology throughout its complex. It is essential, especially given the size of the resource commitment, that all IT and cyber security initiatives be economic and efficient. To address this concern, we perform focused reviews on information technology-related areas. Over the course of such work, we have identified millions of dollars in potential savings in findings related to enterprise architecture, enterprise licensing, and IT support services.

The OIG is currently conducting comprehensive reviews directed at three key elements of cyber security: the Department’s Systems Certification and Accreditation Process; its Cyber and Computer Forensics Analysis Capabilities; and its Security Configuration and Vulnerability Management Program.

Systems Certification and Accreditation Process

Systems certification and accreditation is an essential step in verifying that the Department’s systems are secure for operation. As noted previously, we identified multiple problems with the certification and accreditation process at certain sites and, as a consequence, we initiated a review to determine whether the Department’s systems have been appropriately certified and accredited for operation.

Cyber and Computer Forensics Analysis Capabilities

An ongoing effort is examining whether the Department has formally developed and implemented a unified, effective, and efficient means of analyzing and acting on information related to malicious attacks or intrusions. As part of this audit, we are following up on problems with cyber incident reporting previously identified by the OIG in 2003.

Security Configuration and Vulnerability Management

Building on findings in prior years and on the work already completed by our financial statement auditor, an audit team is examining operating systems and applications. This effort will determine, among other things, whether minimum security configuration standards have been established and implemented at Headquarters and Department field sites.

Status of the 2006 Office of Inspector General FISMA Evaluation

The Office of Inspector General is currently conducting the 2006 evaluation of the Department’s Cyber Security Program. This Department-wide effort includes site-level evaluations – consisting of vulnerability and penetration testing and general and application controls testing – at eight sites: the NNSA Service Center in Albuquerque; Los Alamos National Laboratory; Sandia National Laboratories; the Chicago Operations Office; Argonne National Laboratory; the Kansas City Plant; the Y-12 Plant; and the National Energy Technology Laboratory. We are performing follow-up reviews at 12 additional sites. We are also specifically evaluating corrective actions and new initiatives begun this year by the Office of the Chief Information Officer.

As you are no doubt aware, the Department of Veterans Affairs (VA) recently experienced the loss of sensitive personal data for millions of Veterans and, apparently, a large number of active duty personnel. This has understandably raised concerns about identity theft and related problems. My colleague, the Inspector General for the VA, has initiated several probes into this matter. As part of our ongoing FISMA evaluation, we intend to determine if the Department has taken action to prevent compromises similar to those which recently occurred at the VA.

Conclusion

The Department has informed us that, as a result of the concerns raised by our office, it has initiated actions to strengthen its cyber security program. In particular, under the direction of Secretary Bodman and Deputy Secretary Sell, it has implemented a number of countermeasures to reduce network vulnerabilities and embarked on a revitalization initiative that will focus high-level management attention on cyber issues. These efforts are promising and, if fully implemented, should help improve the Department’s cyber security posture. While the Department is moving aggressively in this area, much remains to be done. As the House of Representatives Committee on Government Reform has recognized for the past three years through its ratings of Federal agencies’ cyber security programs, significant weaknesses continue to exist at the Department of Energy.

The threat to the Department’s systems is constantly evolving as hackers develop new and increasingly sophisticated tools and techniques. The potential for harm is not limited to malicious internet-based attacks, but also includes other efforts by internal users to gain access to resources or information to which they are not entitled. Constant vigilance is required to establish and maintain a defensive posture that is sufficient to prevent or quickly detect problems. The Office of Inspector General is committed to fulfilling its responsibilities by continuing to conduct a wide range of reviews to identify opportunities for improvement and investigate intrusion attempts on the Department’s systems and networks.

Mr. Chairman, this concludes my statement and I would be pleased to answer any questions.